Published: 2013-06-24 19:48:10  Author: 知识屋
CentOS 5.5 Hardening Plan
Contents
1. Disk partition order
2. Edit the gdm configuration file to enable XDMCP
3. Set a password policy that meets complexity requirements
4. Create a regular user and set a strong password
5. Check disk performance
6. Forbid accounts other than root from using at/cron
7. Shut down unneeded services
8. IP protocol security configuration
9. Upgrade the operating system
10. Building a data integrity monitoring system (Tripwire)
1. Disk partition order:
swap 8G
/var 8G
/usr 4G
Allocate the rest freely
2. Edit the gdm configuration file to enable XDMCP
vi /etc/gdm/custom.conf
[security]
DisallowTCP=false
[xdmcp]
Enable=true
3. Set a password policy that meets complexity requirements
Make backups first:
#cp -p /etc/login.defs /etc/login.defs_bak
#cp -p /etc/passwd /etc/passwd_bak
Run the following command to edit /etc/login.defs:
#vi /etc/login.defs
Change the following complexity parameters:
PASS_MAX_DAYS 90
PASS_MIN_LEN 8
PASS_WARN_AGE 7
#passwd -l username
4. Create a regular user and set a strong password:
#useradd username
#passwd username
#usermod -G wheel username
#vi /etc/pam.d/su
#auth required /lib/security/$ISA/pam_wheel.so use_uid ← find this line and remove the leading "#"
↓
auth required /lib/security/$ISA/pam_wheel.so use_uid ← it becomes this (at roughly line 6)
# echo "SU_WHEEL_ONLY yes" >> /etc/login.defs ← append this line to the end of the file
Forbid root from logging in to the system remotely:
#vi /etc/securetty
Remove the comment mark in front of console, then save and exit
# vi /etc/ssh/sshd_config
Change the yes after PermitRootLogin to no
Change the port to one above 1000, for example Port 10000
Do not allow the older SSH protocol version: change #Protocol 2,1 to Protocol 2
#vi /etc/aliases ← edit aliases and append the following line at the end of the file
root: yourname@yourserver.com
5. Check disk performance
# hdparm -Tt /dev/sda
/dev/sda:
Timing cached reads: 16988 MB in 2.00 seconds = 8502.65 MB/sec
Timing buffered disk reads: 334 MB in 3.02 seconds = 110.65 MB/sec
6. Forbid accounts other than root from using at/cron
# cd /etc
#cp -p cron.deny cron.deny_bak
#cp -p at.deny at.deny_bak
Add root to cron.allow and at.allow, and delete cron.deny and at.deny (once an allow file exists, only the users listed in it may use the service):
#rm -f cron.deny at.deny
#echo root >cron.allow
#echo root >at.allow
#chown root:sys cron.allow at.allow
#chmod 400 cron.allow at.allow
7. Shut down unneeded services
Only the services that need to be started are listed below; every service not listed is shut down:
#setup
acpid
anacron
cpuspeed
crond
gpm
iptables
irqbalance  Only needs to be enabled when the server CPU is SMP, multi-core or supports HT; otherwise shut it down.
lvm2-monitor
microcode_ctl
network
ntpd
random
sendmail
sshd
syslog
yum-updatesd
8. IP protocol security configuration
#vi /etc/modprobe.conf
alias net-pf-10 off
alias ipv6 off
#shutdown -r now
#vi /etc/sysctl.conf
net.ipv4.conf.default.accept_source_route=0
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_echo_ignore_all=1
net.ipv4.icmp_ignore_bogus_error_responses=1
net.ipv4.ip_conntrack_max=65535
net.ipv4.tcp_syncookies=1
net.ipv4.tcp_syn_retries=1
net.ipv4.tcp_fin_timeout=5
net.ipv4.tcp_synack_retries=1
net.ipv4.route.gc_timeout=100
net.ipv4.tcp_keepalive_time=500
net.ipv4.tcp_max_syn_backlog=10000
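An added audit script, not part of the original post, that checks the settings changed in sections 3, 4, 6 and 8 (login.defs, sshd_config, sysctl.conf and cron.allow) and reports PASS or FAIL for each. The file paths are arguments so it can be pointed at the live files or at copies; the function names are the example's own.

```shell
#!/bin/bash
# Added example (not part of the original post): audit the settings this
# plan changes in sections 3, 4, 6 and 8. File paths are parameters so the
# same checks run against the live system or against test copies.

# Print the value of KEY in FILE. Accepts "KEY value" (login.defs,
# sshd_config) and "key=value" (sysctl.conf); commented lines never match.
cfg_value() {   # cfg_value FILE KEY
    awk -F'[= \t]+' -v k="$2" '{ sub(/^[ \t]+/, "") } $1 == k { print $2; exit }' "$1"
}

# Return 0 when FILE sets KEY to WANT, 1 otherwise, printing a PASS/FAIL line.
check_setting() {   # check_setting LABEL FILE KEY WANT
    local got
    got="$(cfg_value "$2" "$3")"
    if [ "$got" = "$4" ]; then
        echo "PASS $1: $3=$got"; return 0
    fi
    echo "FAIL $1: $3=${got:-unset} (expected $4)"; return 1
}

# cron.allow / at.allow from section 6: must exist, list only root, be mode 400.
# (The root:sys owner check from the page is left out so this runs unprivileged.)
check_allow_file() {   # check_allow_file FILE
    [ -f "$1" ] || { echo "FAIL $1 missing (deny-file behaviour is in effect)"; return 1; }
    [ "$(cat "$1")" = "root" ] || { echo "FAIL $1 lists users other than root"; return 1; }
    [ "$(stat -c %a "$1")" = "400" ] || { echo "FAIL $1 is not mode 400"; return 1; }
    echo "PASS $1"; return 0
}

# audit LOGIN_DEFS SSHD_CONFIG SYSCTL_CONF CRON_ALLOW -> 0 only if every check passes
audit() {
    local rc=0
    check_setting "password max age" "$1" PASS_MAX_DAYS 90 || rc=1
    check_setting "password min length" "$1" PASS_MIN_LEN 8 || rc=1
    check_setting "su limited to wheel" "$1" SU_WHEEL_ONLY yes || rc=1
    check_setting "root ssh login" "$2" PermitRootLogin no || rc=1
    check_setting "ssh protocol" "$2" Protocol 2 || rc=1
    check_setting "source routing" "$3" net.ipv4.conf.default.accept_source_route 0 || rc=1
    check_setting "syn cookies" "$3" net.ipv4.tcp_syncookies 1 || rc=1
    check_setting "ignore broadcast ping" "$3" net.ipv4.icmp_echo_ignore_broadcasts 1 || rc=1
    check_allow_file "$4" || rc=1
    return $rc
}

# Run against the real files when all four paths are supplied on the command line.
if [ "$#" -eq 4 ]; then
    audit "$@"
fi
```

Invoke it as `./audit.sh /etc/login.defs /etc/ssh/sshd_config /etc/sysctl.conf /etc/cron.allow`; a non-zero exit means at least one setting from this plan has drifted.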
9. Upgrade the operating system
[root@centos root]#yum update
10. Building a data integrity monitoring system (Tripwire)
[root@centos root]#wget http://nchc.dl.sourceforge.net/project/tripwire/tripwire-src/tripwire-2.4.2-src/tripwire-2.4.2-src.tar.bz2
[root@centos root]#tar -jxvf tripwire-2.4.2-src.tar.bz2
[root@centos root]#cd tripwire-2.4.2-src
[root@centos tripwire-2.4.2-src]# ./configure
checking build system type… x86_64-unknown-linux-gnu
checking host system type… x86_64-unknown-linux-gnu
checking target system type… x86_64-unknown-linux-gnu
checking for a BSD-compatible install… /usr/bin/install -c
checking whether build environment is sane… yes
checking for gawk… gawk
checking whether make sets $(MAKE)… yes
checking for gcc… no
checking for cc… no
checking for cl.exe… no
configure: error: no acceptable C compiler found in $PATH //the C build environment is missing, so install gcc
See `config.log' for more details.
[root@centos tripwire-2.4.2-src]# yum install gcc gcc-c++
[root@centos tripwire-2.4.2-src]# make
[root@centos tripwire-2.4.2-src]# make install
..........
Public License instead of this License.
Please type "accept" to indicate your acceptance of this
license agreement. [do not accept] accept //agree to the license
Using configuration file ./install/install.cfg
Checking for programs specified in install configuration file....
/usr/sbin/sendmail -oi -t exists. Continuing installation.
/bin/vi exists. Continuing installation.
----------------------------------------------
Verifying existence of binaries...
./bin/siggen found
./bin/tripwire found
./bin/twprint found
./bin/twadmin found
This program will copy Tripwire files to the following directories:
TWBIN: /usr/local/sbin
TWMAN: /usr/local/man
TWPOLICY: /usr/local/etc
TWREPORT: /usr/local/lib/tripwire/report
TWDB: /usr/local/lib/tripwire
TWSITEKEYDIR: /usr/local/etc
TWLOCALKEYDIR: /usr/local/etc
CLOBBER is false.
Continue with installation? [y/n]y //confirm and continue the installation
----------------------------------------------
Creating directories...
/usr/local/sbin: already exists
/etc/tripwire: created
/usr/local/lib/tripwire/report: created
/usr/local/lib/tripwire: already exists
/etc/tripwire: already exists
/etc/tripwire: already exists
/usr/local/man: already exists
/usr/local/doc/tripwire: created
----------------------------------------------
Copying files...
/usr/local/doc/tripwire/README: copied
/usr/local/doc/tripwire/Release_Notes: copied
/usr/local/doc/tripwire/COPYING: copied
/usr/local/doc/tripwire/TRADEMARK: copied
/usr/local/doc/tripwire/policyguide.txt: copied
/etc/tripwire/twpol-Linux.txt: copied
----------------------------------------------
The Tripwire site and local passphrases are used to
sign a variety of files, such as the configuration,
policy, and database files.
Passphrases should be at least 8 characters in length
and contain both letters and numbers.
See the Tripwire manual for more information.
----------------------------------------------
Creating key files...
(When selecting a passphrase, keep in mind that good passphrases typically
have upper and lower case letters, digits and punctuation marks, and are
at least 8 characters in length.)
Enter the site keyfile passphrase: ← enter the "site keyfile" passphrase (it is not echoed) and remember it
Verify the site keyfile passphrase: ← confirm the "site keyfile" passphrase again
Generating key (this may take several minutes)...Key generation complete.
(When selecting a passphrase, keep in mind that good passphrases typically
have upper and lower case letters, digits and punctuation marks, and are
at least 8 characters in length.)
Enter the local keyfile passphrase: ← enter the "local keyfile" passphrase (it is not echoed) and remember it
Verify the local keyfile passphrase: ← confirm the "local keyfile" passphrase again
Generating key (this may take several minutes)...Key generation complete.
----------------------------------------------
Generating Tripwire configuration file...
----------------------------------------------
Creating signed configuration file...
Please enter your site passphrase: ← enter the "site keyfile" passphrase (it is not echoed)
Wrote configuration file: /etc/tripwire/tw.cfg
A clear-text version of the Tripwire configuration file
/etc/tripwire/twcfg.txt
has been preserved for your inspection. It is recommended
that you delete this file manually after you have examined it.
----------------------------------------------
Customizing default policy file...
----------------------------------------------
Creating signed policy file...
Please enter your site passphrase: ← enter the "site keyfile" passphrase (it is not echoed)
Wrote policy file: /etc/tripwire/tw.pol
A clear-text version of the Tripwire policy file
/etc/tripwire/twpol.txt
has been preserved for your inspection. This implements
a minimal policy, intended only to test essential
Tripwire functionality. You should edit the policy file
to describe your system, and then use twadmin to generate
a new signed copy of the Tripwire policy.
----------------------------------------------
The installation succeeded.
Please refer to /usr/local/doc/tripwire/Release_Notes
for release information and to the printed user documentation
for further instructions on using Tripwire 2.3 Open Source.
make[3]: Leaving directory `/root/tripwire-2.4.2'
make[2]: Leaving directory `/root/tripwire-2.4.2'
make[1]: Leaving directory `/root/tripwire-2.4.2'
[root@centos ~]# vi /usr/local/etc/twcfg.txt //edit the text-format Tripwire configuration file
LOOSEDIRECTORYCHECKING =false //find this line and change false to true (do not check the integrity of the containing directory's own data)
↓
LOOSEDIRECTORYCHECKING =true ← it becomes this
REPORTLEVEL =3 //find this line and change 3 to 4 (raises the detail level of the check report)
↓
REPORTLEVEL =4 //it becomes this
[root@centos ~]# twadmin --create-cfgfile -S /usr/local/etc/site.key /usr/local/etc/twcfg.txt ← create the encrypted configuration file from the text configuration file
Please enter your site passphrase: ← enter the "site keyfile" passphrase (it is not echoed)
Wrote configuration file: /usr/local/etc/tw.cfg
[root@centos ~]# rm -f /usr/local/etc/twcfg.txt ← delete the text-format configuration file so it does not remain as a security risk
[root@centos ~]# vi /usr/local/etc/twpolmake.pl ← create the Perl script used to build the policy file
#!/usr/bin/perl
# Tripwire Policy File customize tool
# ----------------------------------------------------------------
# Copyright (C) 2003 Hiroaki Izumi
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
# ----------------------------------------------------------------
# Usage:
# perl twpolmake.pl {Pol file}
# ----------------------------------------------------------------
#
$POLFILE=$ARGV[0];
open(POL,"$POLFILE") or die "open error: $POLFILE" ;
my($myhost,$thost) ;
my($sharp,$tpath,$cond) ;
my($INRULE) = 0 ;
while (<POL>) {
    chomp;
    # Rewrite the HOSTNAME variable so that it matches this machine's hostname.
    if (($thost) = /^HOSTNAME\s*=\s*(.*)\s*;/) {
        $myhost = `hostname` ; chomp($myhost) ;
        if ($thost ne $myhost) {
            $_="HOSTNAME=\"$myhost\";" ;
        }
    }
    elsif ( /^\{/ ) {
        $INRULE=1 ;
    }
    elsif ( /^\}/ ) {
        $INRULE=0 ;
    }
    # Inside a rule block: lines of the form "[#] /path -> properties ;".
    elsif ($INRULE == 1 and ($sharp,$tpath,$cond) = /^(\s*#?\s*)(\/\S+)\b(\s+->\s+.+)$/) {
        $ret = ($sharp =~ s/#//g) ;
        if ($tpath eq '/sbin/e2fsadm' ) {
            $cond =~ s/;\s+(tune2fs.*)$/; #$1/ ;
        }
        # Comment out entries whose path is missing on this system (entries that
        # were already commented stay as they are); uncomment entries whose path exists.
        if (! -s $tpath) {
            $_ = "$sharp#$tpath$cond" if ($ret == 0) ;
        }
        else {
            $_ = "$sharp$tpath$cond" ;
        }
    }
    print "$_\n" ;
}
close(POL) ;
[root@centos ~]# perl /usr/local/etc/twpolmake.pl /usr/local/etc/twpol.txt > /usr/local/etc/twpol.txt.out ← build the policy file
[root@centos ~]# rm -f /usr/local/etc/twpol.txt ← delete the default policy file
[root@centos ~]# mv /usr/local/etc/twpol.txt.out /usr/local/etc/twpol.txt ← rename the newly built policy file to the default policy file name
[root@centos ~]# twadmin --create-polfile -S /usr/local/etc/site.key /usr/local/etc/twpol.txt ← create the encrypted policy file from the text policy file
Please enter your site passphrase: ← enter the "site keyfile" passphrase (it is not echoed)
Wrote policy file: /usr/local/etc/tw.pol
[root@centos ~]# rm -f /usr/local/etc/twcfg.txt ← delete the text-format configuration file so it does not remain as a security risk
[root@centos ~]# tripwire --init ← build the database
Please enter your local passphrase: ← enter the "local keyfile" passphrase (it is not echoed)
Parsing policy file: /etc/tripwire/tw.pol
Generating the database...
*** Processing Unix File System ***
Wrote database file: /usr/local/lib/tripwire/centos.test.com.twd
The database was successfully generated.
[root@centos ~]# vi tripwire-check ← create the Tripwire run script
#!/bin/bash
PATH=/usr/local/sbin:/usr/bin:/bin
SITEPASS='********' # Site Key Passphrase ← replace the asterisks with the site keyfile passphrase
LOCALPASS='********' # Local Key Passphrase ← replace the asterisks with the local keyfile passphrase
REPORTFILE=/usr/local/lib/tripwire/report/`hostname`-`date +%Y%m%d`.twr
# Run the Tripwire check and send its output to syslog
tripwire --check -r "$REPORTFILE" | logger -t tripwire
# Mail the Tripwire report to root, but only when violations were found
cd /usr/local/etc
REPORTPRINT=`mktemp`
twprint -m r -c tw.cfg -r "$REPORTFILE" -L `hostname`-local.key -t 4 > $REPORTPRINT
if [ -z "$(grep 'Total violations found: 0' $REPORTPRINT)" ]; then
    cat $REPORTPRINT | mail -s "Tripwire(R) Integrity Check Report in `hostname`" root
fi
rm -f $REPORTPRINT
# Update the policy file: regenerate it for the paths currently on the system
cd /usr/local/etc
twadmin --print-polfile > twpol.txt
perl twpolmake.pl twpol.txt > twpol.txt.out
twadmin --create-polfile -S site.key -Q $SITEPASS twpol.txt.out | logger -t tripwire
rm -f twpol.*
# Update the database: rebuild it from the new policy
rm -f /usr/local/lib/tripwire/`hostname`.twd
tripwire --init -P $LOCALPASS | logger -t tripwire
[root@centos ~]# chmod 700 tripwire-check ← make the run script executable
[root@centos ~]# ./tripwire-check ← run the script once
Because the run script itself was added, the system counts as modified and a mail is sent to root... check the mailbox to find the check report
[root@centos ~]# ./tripwire-check ← run the script once more
Because the two runs are consecutive, it is unlikely that any file changed in between, so confirm that no e-mail is sent to root
[root@centos tripwire]# cat tripwire-report ← view the check report
Note: Report is not encrypted.
Tripwire(R) 2.3.0 Integrity Check Report
Report generated by: root
Report created on: Wed 23 Aug 2006 05:45:01 AM CST
Database last updated on: Never
===============================================================================
Report Summary:
===============================================================================
Host name: centos.centospub.com
Host IP address: 127.0.0.1
Host ID: None
Policy file used: /etc/tripwire/tw.pol
Configuration file used: /etc/tripwire/tw.cfg
Database file used: /usr/local/lib/tripwire/sample.centospub.com.twd
Command line used: tripwire --check -r /usr/local/lib/tripwire/report/sample.centospub.com-20060823.twr
===============================================================================
Rule Summary:
===============================================================================
-------------------------------------------------------------------------------
Section: Unix File System
-------------------------------------------------------------------------------
Rule Name                       Severity Level    Added    Removed  Modified
---------                       --------------    -----    -------  --------
Invariant Directories           66                0        0        0
Tripwire Data Files             100               0        0        0
Temporary directories           33                0        0        0
Critical devices                100               0        0        0
(/proc/kcore)
Tripwire Binaries               100               0        0        0
Libraries                       66                0        0        0
User binaries                   66                0        0        0
Critical system boot files      100               0        0        0
File System and Disk Administraton Programs
                                100               0        0        0
Kernel Administration Programs  100               0        0        0
Networking Programs             100               0        0        0
System Administration Programs  100               0        0        0
Hardware and Device Control Programs
                                100               0        0        0
System Information Programs     100               0        0        0
Application Information Programs
                                100               0        0        0
(/sbin/rtmon)
Shell Related Programs          100               0        0        0
Operating System Utilities      100               0        0        0
Critical Utility Sym-Links      100               0        0        0
Shell Binaries                  100               0        0        0
OS executables and libraries    100               0        0        0
System boot changes             100               0        0        0
Critical configuration files    100               0        0        0
Security Control                100               0        0        0
Login Scripts                   100               0        0        0
* Root config files             100               0        0        1

Total objects scanned:  17363
Total violations found:  1
===============================================================================
Object Summary:
===============================================================================
——————————————————————————-
# Section: Unix File System
——————————————————————————-
——————————————————————————-
Rule Name: Root config files (/root)
Severity Level: 100
——————————————————————————-
Modified:
“/root/tripwire-check”
===============================================================================
Object Detail:
===============================================================================
——————————————————————————-
Section: Unix File System
——————————————————————————-
——————————————————————————-
Rule Name: Root config files (/root)
Severity Level: 100
——————————————————————————-
----------------------------------------
Modified Objects: 1
----------------------------------------
Modified object name: /root/tripwire-check
Property:            Expected                    Observed
-------------        -----------                 -----------
Object Type          Regular File                Regular File
Device Number        64768                       64768
File Device Number   0                           0
Inode Number         351317                      351317
Mode                 -rwx------                  -rwx------
Num Links            1                           1
UID                  root (0)                    root (0)
GID                  root (0)                    root (0)
* Size               953                         951
* Modify Time        Wed 23 Aug 2006 05:21:26 AM CST
                     Wed 23 Aug 2006 05:43:10 AM CST
* Change Time        Wed 23 Aug 2006 05:21:26 AM CST
                     Wed 23 Aug 2006 05:43:10 AM CST
Blocks               16                          16
* CRC32              Ay0oV9                      BDzM8Y
* MD5                BoeMoWfjEKCSLOJCs/E7mj      ABQN3hl5wF0PyTcXugPE5U
===============================================================================
Error Report:
===============================================================================
No Errors
——————————————————————————-
*** End of report ***
Tripwire 2.3 Portions copyright 2000 Tripwire, Inc. Tripwire is a registered
trademark of Tripwire, Inc. This software comes with ABSOLUTELY NO WARRANTY;
for details use --version. This is free software which may be redistributed
or modified only under certain conditions; see COPYING for details.
All rights reserved.
[root@centos tripwire]# rm -f tripwire-report ← delete the check report
[root@centos tripwire]# cd ← go to root's home directory, where the Tripwire run script lives
[root@centos ~]# mv tripwire-check /etc/cron.daily/ ← move the script into the directory whose contents are run automatically every day